From 997c6eefd8ed7f0f81862dc3727d17fd23046629 Mon Sep 17 00:00:00 2001 From: Yaroslav Tykhiy Date: Sun, 17 Jun 2007 17:25:53 +0000 Subject: Add PAM support to cron(8). Now cron(8) will skip commands scheduled by unavailable accounts, e.g., those locked, expired, not allowed in at the moment by nologin(5), or whatever, depending on cron's pam.conf(5). This applies to personal crontabs only, /etc/crontab is unaffected. In other words, now the account management policy will apply to commands scheduled by users via crontab(1) so that a user can no longer use cron(8) to set up a delayed backdoor and run commands during periods when the admin doesn't want him to. The PAM check is done just before running a command, not when loading a crontab, because accounts can get locked, expired, and re-enabled any time with no changes to their crontabs. E.g., imagine that you provide a system with paid access, or better a cluster of such systems with centralized account management via PAM. When a user pays for some days of access, you set his expire field respectively. If the account expires before its owner pays more, its crontab commands won't run until the next payment is made. Then it'll be enough to set the expire field in future for the commands to run again. And so on. Document this change in the cron(8) manpage, which includes adding a FILES section and touching the document date. X-Security: should benefit as users have access to cron(8) by default --- etc/pam.d/Makefile | 1 + etc/pam.d/cron | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 etc/pam.d/cron (limited to 'etc/pam.d') diff --git a/etc/pam.d/Makefile b/etc/pam.d/Makefile index 9e5746cd13fe..2686cdf740c9 100644 --- a/etc/pam.d/Makefile +++ b/etc/pam.d/Makefile @@ -4,6 +4,7 @@ NO_OBJ= FILES= README \ atrun \ + cron \ ftpd \ gdm \ imap \ diff --git a/etc/pam.d/cron b/etc/pam.d/cron new file mode 100644 index 000000000000..55a3d1048c53 --- /dev/null +++ b/etc/pam.d/cron 
@@ -0,0 +1,9 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "cron" service +# + +# account +account required pam_nologin.so +account required pam_unix.so -- cgit v1.2.3
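Review bot: In the new etc/pam.d/cron, the only explanation of the policy is the bare "# account" comment, so an administrator reading the file on its own cannot tell that it governs personal crontabs only and that /etc/crontab is unaffected, as the commit message states. Suggest adding a comment line or two above the account entries saying so, and noting that the check runs just before each command rather than when a crontab is loaded. Since both pam_nologin.so and pam_unix.so are marked required, the comment could also state that a job from an account failing either check is skipped, which is the behaviour an admin will need to know when a user reports a job that did not run.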